[Secure-testing-team] Bug#512608: [SA33617] Typo3 Multiple Vulnerabilities

Giuseppe Iuculano giuseppe at iuculano.it
Thu Jan 22 07:39:10 UTC 2009


Package: typo3-src
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The following SA (Secunia Advisory) id was published for Typo3:

SA33617[1]

> DESCRIPTION:
> Some vulnerabilities have been reported in Typo3, which can be
> exploited by malicious people to bypass certain security
> restrictions, conduct cross-site scripting and session fixation
> attacks, and compromise a vulnerable system.
> 
> 1) The "Install tool" system extension uses insufficiently random
> entropy sources to generate an encryption key, resulting in weak
> security.
> 
> 2) The authentication library does not properly invalidate supplied
> session tokens, which can be exploited to hijack a user's session.
> 
> 3) Certain unspecified input passed to the "Indexed Search Engine"
> system extension is not properly sanitised before being used to
> invoke commands. This can be exploited to inject and execute
> arbitrary shell commands.
> 
> 4) Input passed via the name and content of files to the "Indexed
> Search Engine" system extension is not properly sanitised before
> being returned to the user. This can be exploited to execute
> arbitrary HTML and script code in a user's browser session in context
> of an affected site.
> 
> 5) Certain unspecified input passed to the Workspace module is not
> properly sanitised before being returned to the user. This can be
> exploited to execute arbitrary HTML and script code in a user's
> browser session in context of an affected site.
> 
> Note: It is also reported that certain unspecified input passed to
> test scripts of the "ADOdb" system extension is not properly
> sanitised before being returned to the user. This can be exploited to
> execute arbitrary HTML and script code in a user's browser session in
> context of an affected website.
> 
> SOLUTION:
> Update to Typo3 version 4.0.10, 4.1.8, or 4.2.4.
> 
> Generate a new encryption key (see vendor's advisory for more
> information).
> 
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits:
> 1) Chris John Riley of Raiffeisen Informatik, CERT Security
> Competence Center Zwettl
> 2) Marcus Krause
> 3, 4) Mads Olesen
> 5) Daniel Fabian, SEC Consult
> 
> ORIGINAL ADVISORY:
> TYPO3-SA-2009-001:
> http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/

If you fix the vulnerability please also make sure to include the CVE id
(if available) in the changelog entry.

[1] http://secunia.com/advisories/33617/

Cheers,
Giuseppe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkl4IpcACgkQNxpp46476ar0ngCfSRgis+Em7SqxFn/3biLtqRVt
/noAn0W0Y1T7EDOytyIfw4l63Ix+3yEE
=PAgw
-----END PGP SIGNATURE-----




